OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

nospamgmail.it
Date: Wed Mar 28 2012 - 12:16:15 CDT


TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest

Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

Vulnerability:
This ActiveX control exposed the vulnerable
OpenFileDlg() method, see typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
        /* VT_BSTR [8] [in] */ $sFilter
        )
{
        /* method OpenFileDlg */
}
..

By invoking this method with an overlong argument is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
001279FC 77E6F20B kernel32.77E637DE kernel32.77E6F206 00127A0C
00127A10 0299F958 kernel32.WideCharToMultiByte UltraMJC.0299F952 00127A0C
00127A14 00000003 CodePage = 3
00127A18 00000000 Options = 0
00127A1C 03835C5C WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20 FFFFFFFF WideCharCount = FFFFFFFF (-1.)
00127A24 00127A50 MultiByteStr = 00127A50
00127A28 00007532 MultiByteCount = 7532 (30002.)
00127A2C 00000000 pDefaultChar = NULL
00127A30 00000000 pDefaultCharUsed = NULL
00127A3C 029B11D0 UltraMJC.0299F920 UltraMJC.029B11CB 00127A38

..
0299F934 8B45 08 mov eax,dword ptr ss:[ebp+8]
0299F937 C600 00 mov byte ptr ds:[eax],0
0299F93A 6A 00 push 0
0299F93C 6A 00 push 0
0299F93E 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
0299F941 51 push ecx
0299F942 8B55 08 mov edx,dword ptr ss:[ebp+8]
0299F945 52 push edx
0299F946 6A FF push -1
0299F948 8B45 0C mov eax,dword ptr ss:[ebp+C]
0299F94B 50 push eax
0299F94C 6A 00 push 0
0299F94E 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
0299F951 51 push ecx
0299F952 FF15 20319F02 call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------
..

The result is that critical structures are overwritten (SEH)
allowing to execute arbitrary code against the target browser.
 
As attachment, basic proof of concept code.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm

poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm